This repository was archived by the owner on Oct 4, 2023. It is now read-only.
Replace multispinner with another one #924
Open
Description
Found an issue or bug with electron-vue? Tell me all about it!
Questions regarding how to use `electron` or `vue` are likely to be closed as they are not direct issues with this boilerplate. Please seek solutions from official documentation or their respective communities.
Describe the issue / bug.
Now `lodash.merge` has a security issue and `lodash.merge` is used in `multispinner`. There is a pull request to update `lodash.merge` in `multispinner`: codekirei/node-multispinner#5
But it has not been merged yet, so the security issue is not fixed.
In `electron-vue`, `multispinner` is only used in the build script.
I think that it is possible to replace `multispinner` with another spinner library. What do you think?
How can I reproduce this problem?
```
vue init simulatedgreg/electron-vue my-project
npm install
npm audit
```
- The security issue is shown
```
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash.merge                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.6.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ multispinner [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ multispinner > lodash.merge                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1066                            │
```
Tell me about your development environment.
- Node version: 10.16.3
- NPM version: 6.9.0
- vue-cli version: 2.9.6
- Operating System: Ubuntu 18.04
If you are looking to suggest an enhancement or feature, then feel free to remove everything above.
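Added example, not part of the original issue or of electron-vue: a lockfile check that reports which packages still resolve to a `lodash.merge` below the `>=4.6.2` patched version from the advisory above, and whether that copy is dev-only. The lockfile excerpt, its version numbers, `some-runtime-lib` and the function names are constructed for illustration; the npm 6 `lockfileVersion: 1` layout is assumed.

```javascript
// Constructed npm 6 (lockfileVersion 1) excerpt; versions are sample values.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    "multispinner": { version: "0.2.1", dev: true, requires: { "lodash.merge": "^4.6.0" } },
    "lodash.merge": { version: "4.6.1", dev: true },
    // Hypothetical runtime package that carries its own patched nested copy.
    "some-runtime-lib": {
      version: "1.0.0",
      requires: { "lodash.merge": "^4.6.2" },
      dependencies: { "lodash.merge": { version: "4.6.2" } }
    }
  }
};

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Compare x.y.z numerically; prerelease tags are ignored (a simplification).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// For every package that requires `name`, resolve the copy it would load
// (nearest enclosing node_modules first) and report it if below `patched`.
function findUnpatched(lock, name, patched) {
  const findings = [];
  const walk = (deps, outerScopes) => {
    for (const [pkg, meta] of Object.entries(deps || {})) {
      if (meta.requires && has(meta.requires, name)) {
        const chain = [meta.dependencies || {}, deps, ...outerScopes];
        const scope = chain.find((s) => has(s, name));
        const hit = scope && scope[name];
        if (hit && compareVersions(hit.version, patched) < 0) {
          findings.push({ path: `${pkg} > ${name}`, version: hit.version, devOnly: hit.dev === true });
        }
      }
      walk(meta.dependencies, [deps, ...outerScopes]);
    }
  };
  walk(lock.dependencies, []);
  return findings;
}

console.log(findUnpatched(sampleLock, "lodash.merge", "4.6.2"));
```

Against a real project, pass the parsed `package-lock.json` instead of `sampleLock`; an empty result means every requirer resolves to a patched copy.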